awesome-linux-rootkits

🔑 feature table

Environment:

• CPU architecture
• Kernel/User mode (or mixed)

Core capabilities:

• Persistency
• Management interface
• Altering system (library) behavior

Stealth capabilities:

• Detection evasion
• System logs cleaning (filtering)

Hiding stuff capabilities:

• Hiding of files and directories
• Hiding (tampering) of file contents
• Hiding of processes and process trees
• Hiding of network connections and activity
• Hiding of process accounting information (like CPU usage)

Additional functions:

• Keylogger
• Backdoor/shell
• Gaining priveleges

🙈 user mode rootkits

• mempodippy/vlany

  Linux LD_PRELOAD rootkit (x86 and x86_64 architectures)

• unix-thrust/beurk

  BEURK is an userland preload rootkit for GNU/Linux, heavily focused around anti-debugging and anti-detection.

• chokepoint/azazel

  Azazel is a userland rootkit based off of the original LD_PRELOAD technique from Jynx rootkit.

• chokepoint/Jynx2

  JynxKit2 is an LD_PRELOAD userland rootkit based on the original JynxKit.

• chokepoint/jynxkit

  JynxKit is an LD_PRELOAD userland rootkit for Linux systems with reverse connection SSL backdoor

• NexusBots/Umbreon-Rootkit

  LD_PRELOAD based

• ChristianPapathanasiou/apache-rootkit

  A malicious Apache module with rootkit functionality

🙉 kernel mode rootkits

• jermeyyy/rooty

  Academic project of Linux rootkit made for Bachelor Engineering Thesis.

• trailofbits/krf

  A kernelspace randomized syscall faulter for Linux 4.15+

• f0rb1dd3n/Reptile ⚡️ details ⚡️

  Reptile is a LKM rootkit written for evil purposes that runs on Linux kernel 2.6.x/3.x/4.x

• QuokkaLight/rkduck ⚡️ details ⚡️

  rkduck - Rootkit for Linux v4

• croemheld/lkm-rootkit

  A LKM rootkit for most newer kernel versions.

• mncoppola/suterusu

  An LKM rootkit targeting Linux 2.6.x/3.x on x86, and ARM

• romeroperezabel/ARP-RootKit

  An open source rootkit for the Linux Kernel to develop new ways of infection/detection.

• nurupo/rootkit

  Linux rootkit for Ubuntu 16.04 and 10.04 (Linux Kernels 4.4.0 and 2.6.32), both i386 and amd64

• m0nad/Diamorphine

  LKM rootkit for Linux Kernels 2.6.x/3.x/4.x/5.x (x86 and x86_64)

• ivyl/rootkit

  Sample Rootkit for Linux

• deb0ch/toorkit

  A simple useless rootkit for the linux kernel

• vrasneur/randkit

  Random number rootkit for the Linux kernel

• Eterna1/puszek-rootkit

  Yet another LKM rootkit for Linux. It hooks syscall table.

• trimpsyw/adore-ng

  linux rootkit adapted for 2.6 and 3.x

• bones-codes/the_colonel

  An experimental linux kernel module (rootkit) with a keylogger and built-in IRC bot

• David-Reguera-Garcia-Dreg/enyelkm

  LKM rootkit for Linux x86 with the 2.6 kernel. It inserts salts inside system_call and sysenter_entry.

• falk3n/subversive

  x86_64 linux rootkit using debug registers

• jiayy/lkm-rootkit

  An lkm rootkit support x86/64,arm,mips

• a7vinx/liinux

  A linux rootkit works on kernel 4.0.X or higher

• hanj4096/wukong

  Wukong: a LKM rootkit for Linux kernel 2.6.x, 3.x and 4.x

• varshapaidi/Kernel_Rootkit

  Linux Kernel Rootkit - To hide modules and ssh service

• kacheo/KernelRootkit

  Linux kernel rootkit to hide certain files and processes.

• dsmatter/brootus

  bROOTus is a Linux kernel rootkit that comes as a single LKM (Loadable Kernel Module) and it is totally restricted to kernel 2.6.32.

• jarun/keysniffer

  A Linux kernel module to grab keys pressed in the keyboard.

• PinkP4nther/Sutekh

  An example rootkit that gives a userland process root permissions (x86, 4.x)

• En14c/LilyOfTheValley

  LilyOfTheValley is a simple LKM linux kernel rootkit for v4.x that works on (x86 and x86_64)

• NoviceLive/research-rootkit

  This is LibZeroEvil & the Research Rootkit project, in which there are step-by-step, experiment-based courses that help to get you started and keep your hands dirty with offensive or defensive development in the Linux kernel (LibZeroEvil).

• NinnOgTonic/Out-of-Sight-Out-of-Mind-Rootkit ⚡️ writeup ⚡️

  Out of Sight, Out of Mind is a study and implementation of Linux rootkit methods. In addition a new covert network channel using additional Domain Name System (DNS) is implemented.

• h3xduck/Umbra

  An experimental LKM rootkit for v4.x/5.x kernels which opens a backdoor that can be used to get a reverse shell remotely.

• kris-nova/boopkit

  Linux backdoor, rootkit, and eBPF bypass tools. Remote command execution over raw TCP.

• milabs/kopycat

  KOPYCAT - Linux Kernel module-less implant (backdoor).

• h3xduck/TripleCross

  A Linux eBPF rootkit with a backdoor, C2, library injection, execution hijacking, persistence and stealth capabilities.

• carloslack/KoviD

Linux 4.18+ rootkit with multiple reverse backdoors, task management, CPU usage hiding, stealth techniques, ELF infection and evasion from anti-rooktiks based on eBPF.

• reveng007/reveng_rtkit

  Linux Loadable Kernel Module (LKM) based rootkit capable of hiding itself, processes/implants, rmmod proof, has ability to bypass infamous rkhunter antirootkit.

🙊 related stuff

• landhb/DrawBridge

  A layer 4 Single Packet Authentication (SPA) Module, used to conceal TCP ports on public facing machines and add an extra layer of security.

• gianlucaborello/libprocesshider

  Hide a process under Linux using the ld preloader

• spiderpig1297/kprochide

  LKM for hiding processes from the userland. The module is able to hide multiple processes and is able to dynamically receive new processes to hide.

• spiderpig1297/kfile-over-icmp

  kfile-over-icmp is a loadable kernel module for stealth sending of files over ICMP communication.

• spiderpig1297/kunkillable

  LKM (loadable kernel module) that makes userland processes unkillable.

• https://web.archive.org/web/20140701183221/https://www.thc.org/papers/LKM_HACKING.html

  Heroin, an LKM based rootkit, and many more LKM based rootkit techniques (it's backdated, but posses powerful knowledge).

Contributing

Please refer the guidelines at contributing.md for details